CVE-2022-24839

Uncontrolled Resource Consumption in org.cyberneko.html (nokogiri fork)

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

org.cyberneko.html es un analizador de HTML escrito en Java. El fork de "org.cyberneko.html" usado por Nokogiri (Rubygem) lanza una excepción "java.lang.OutOfMemoryError" cuando analiza marcas HTML mal formadas. Es recomendado a usuarios actualizar a "versiones posteriores a 1.9.22.noko2 incluyéndola". Nota: La biblioteca "org.cyberneko.html" ya no es mantenida. Nokogiri usa su propia bifurcación de esta biblioteca ubicada en https://github.com/sparklemotion/nekohtml y esta CVE sólo es aplicada a esa bifurcación. Otros forks de nekohtml pueden presentar una vulnerabilidad similar

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-04-11 CVE Published
2023-12-01 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d	2023-02-23
https://www.oracle.com/security-alerts/cpujul2022.html	2023-02-23

URL	Date	SRC
https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv	2023-02-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nekohtml Project Search vendor "Nekohtml Project"		Nekohtml Search vendor "Nekohtml Project" for product "Nekohtml"				< 1.9.22.noko2 Search vendor "Nekohtml Project" for product "Nekohtml" and version " < 1.9.22.noko2"		nokogiri		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0"		-		Affected